InkBridge Networks - A new name for Network RADIUS

Common EAP configuration problems and how to fix them

EAP Configuration: Article 3 of 5

If you have followed the steps for configuring EAP and are encountering problems, there are only a few things that go wrong. This article goes through the most common issues and how to fix them.

Server unresponsive after sending request

Problem: A lot of text scrolls by, the server sends an Access-Challenge, and then prints out a message saying

Cleaning up request ...

After that, nothing more happens. The debug output will likely contain a message about unknown CA.

Diagnosis: The client does not like the server certificate, or the CA which issued that certificate.

Solution: On a testing system, un-check Validate Server Certificate as noted in the EAP page.

Solution: On a production system, ensure that the client has been configured with the certificates from the proper Certificate Authority and Server certificate, as noted in the EAP page.

Solution: On a production system, ensure that the Server certificate has the proper “TLS Web server” OIDs (Object Identifiers). (Yes, EAP needs a “web server” certificate. That decision was made 20 years ago, and can’t be changed now.)

Don’t worry, the FreeRADIUS certificate creation scripts in /etc/raddb/certs/ create the certificates with the proper information. Unless you already have a certificate management system, these certificate creation scripts should always be used to create RADIUS certificates.
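The OID check above is easy to do yourself. What follows is an added example (not part of this article or of the FreeRADIUS certificate scripts) that uses the openssl command line to confirm that a server certificate carries the TLS Web Server Authentication extended key usage and chains to the CA the clients were given; the CA and certificates it generates are constructed, throwaway test data.

```shell
#!/bin/sh
# Added example, not from the original article: check a server certificate the
# way an EAP client does. It must carry the "TLS Web Server Authentication"
# extendedKeyUsage (OID 1.3.6.1.5.5.7.3.1) and chain to the CA the client trusts.
# Assumes an OpenSSL 1.1.1+ binary; the CA and certs made below are throwaway
# constructed test data, not real RADIUS certificates.

# Return 0 if the PEM certificate in $1 lists the serverAuth EKU, 1 otherwise.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Return 0 if the server certificate in $1 verifies against the CA file in $2.
chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run both checks on one certificate; return 0 only if both pass.
check_eap_server_cert() {
    ok=0
    if has_server_auth_eku "$1"; then echo "$1: serverAuth EKU present"
    else echo "$1: MISSING serverAuth EKU (clients will reject it)"; ok=1; fi
    if chains_to_ca "$1" "$2"; then echo "$1: chains to $2"
    else echo "$1: does NOT chain to $2"; ok=1; fi
    return $ok
}

# --- constructed fixtures: throwaway keys, 1-day validity ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK" || exit 1
# Self-signed CA built from an extfile so it does not depend on openssl.cnf.
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
    -subj "/CN=Test EAP CA" 2>/dev/null
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca.ext -out ca.pem 2>/dev/null
# One server CSR signed twice: a proper EAP server cert, and one with only clientAuth.
openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
    -subj "/CN=radius.example.com" 2>/dev/null
printf 'extendedKeyUsage = serverAuth\n' > good.ext
printf 'extendedKeyUsage = clientAuth\n' > bad.ext
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile good.ext -out good.pem 2>/dev/null
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile bad.ext -out bad.pem 2>/dev/null

check_eap_server_cert good.pem ca.pem          # both checks pass
check_eap_server_cert bad.pem ca.pem || true   # EKU check fails, chain is fine
```

To check a real deployment, point check_eap_server_cert at the server certificate and CA file from /etc/raddb/certs/ instead of the generated fixtures.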

See also KB-814394. Note that we do not necessarily agree with their explanations, but the fix does appear to work.

Server sends Access-Reject

Problem: The server sends an Access-Reject.

Diagnosis: The password entered on the client does not match the “known good” password that the server has.

Solution: Double-check that the passwords are the same. Use the simplest possible configuration to do this.

Other issues

Problem: The Windows client still won’t connect.

Diagnosis: If none of the above fixes work, and you still see the Access-Challenge sent… and then nothing, the problem is some kind of Windows magic.

Solution: Enable EAPHost Tracing.

To enable tracing, run the following commands from a privileged command prompt (i.e. as Administrator):

netsh wlan set tracing mode=yes
netsh ras set tracing * enabled

After the problem has been reproduced (using one login attempt), tracing can be disabled by:

netsh ras set tracing * disabled
netsh wlan set tracing mode=no

The output files (*.etl) will be in the %windir%\tracing\wireless\ directory, usually in various subdirectories. The .etl files can be converted to .txt files via the following command:

tracerpt 

The final files can be put on a web page, and questions posted to the freeradius-users list.
